Score
Domain knowledge of legal frameworks (e.g., HIPAA, CCPA, GDPR) that define obligations for consent, data subject rights, breach notification, data minimization and protections for personal or health information, and the technical and organizational measures required to achieve and demonstrate compliance.
This paper addresses the challenges of GDPR compliance, ambiguous accountability, and high manual auditing costs in cross-organizational distributed data processing. Methodologically, it introduces the first automated compliance framework integrating legal expert judgment with formal reasoning: (i) a purpose-limitation–driven GDPR ontology and semantic model; (ii) a novel deep extension of eFLINT and XACML to support legally precise policy modeling and verifiable enforcement; and (iii) an automated normative reasoning engine that generates auditable legality justifications. Contributions include: transparent and accountable data access control; empirical validation across multiple distributed data space prototypes demonstrating completeness of legal argumentation, accuracy of policy enforcement, and seamless system integrability; and significant reduction in organizational compliance overhead and legal risk.
This paper addresses the regulatory misalignment between the EU’s Cyber Resilience Act (CRA) and the General Data Protection Regulation (GDPR). Using comparative legal analysis, requirements mapping modeling, and normative semantic parsing, it systematically establishes the first structured mapping of their security requirements. The study identifies six shared security requirements—spanning confidentiality, integrity, and availability—and originality distills seven novel core security obligations introduced by the CRA, clarifying how they extend and reconfigure existing compliance frameworks. By bridging a critical gap in requirements engineering driven by regulatory evolution, the work delivers a traceable, actionable cross-regulatory requirements alignment framework. This framework provides theoretical foundations and practical guidance for legally compliant security design across the full lifecycle of secure products.
This paper examines how the General Data Protection Regulation (GDPR) is reshaping global data governance, focusing on institutional tensions between the GDPR and the 1995 Data Protection Directive as well as U.S. privacy law, and its heterogeneous regulatory impacts across diverse business entities. Method: Drawing on doctrinal legal analysis, comparative law, and policy impact assessment—framed within regulatory mechanism design theory—the study systematically evaluates GDPR’s operational logic and extraterritorial effects. Contribution/Results: The paper proposes a novel information governance paradigm anchored in three pillars: enterprise-level internal control mechanisms, data localization practices, and meaningful human involvement in automated decision-making. It elucidates the GDPR’s structural bias favoring direct-to-consumer firms in compliance efficiency and demonstrates how the regulation is catalyzing a fundamental reconfiguration of data-driven business models under heightened protection standards.
This study addresses the challenge of operationalizing GDPR compliance in software engineering—specifically, how to realize “Privacy by Design” (PbD) at the requirements and system specification levels while reconciling heterogeneous stakeholder interests and ensuring semantic consistency and traceability between legal provisions and technical specifications. We propose a formal modeling approach grounded in original legal concepts, systematically mapping GDPR articles to reusable privacy requirement patterns. Integrating systematic literature analysis, industry interviews, and requirements modeling, we develop a joint specification framework supporting cross-layer abstraction and transparent, bidirectional traceability. Empirical evaluation demonstrates that the framework significantly improves the accuracy of privacy requirement elicitation and the transparency of regulatory specification, thereby providing a scalable, methodology-driven foundation for law–technology co-governance.
This study investigates how data protection regulations (e.g., GDPR, CCPA) impact open-source software (OSS) development practices, focusing on the reporting, discussion, and resolution of personal-data-related issues in GitHub projects. Using an exploratory empirical approach—combining inductive thematic coding, annotating reporter roles and issue states, and conducting relevance-based statistical analysis—the authors systematically identify six recurrent categories of data protection issues. Results show that such issues are predominantly reported by non-core contributors; resolution rates are low and rely heavily on non-technical negotiation rather than code-level fixes; and a structural tension exists between regulatory compliance requirements and OSS development culture. This work is the first to empirically demonstrate how data protection obligations are substantively embedded within OSS development workflows, thereby bridging regulatory compliance and OSS engineering practice. It provides foundational evidence and design insights for developing compliance-aware open-source governance mechanisms.
This study addresses the prevailing Eurocentric bias in digital privacy research, which has predominantly focused on regulations like the GDPR while overlooking user concerns and compliance variations across diverse global legal regimes. To bridge this gap, the authors propose a unified abstract framework grounded in the data lifecycle, enabling formal mapping of heterogeneous privacy laws from multiple jurisdictions onto a common structure through legal text analysis and cross-jurisdictional norm alignment. This approach constitutes the first systematic effort to model global privacy compliance beyond GDPR-centrism. By offering actionable guidance for multinational organizations and facilitating privacy-by-design practices adaptable to pluralistic legal environments, the framework significantly broadens both the theoretical scope and practical applicability of privacy research.
This work addresses the limitations of existing data governance tools, which struggle to dynamically adapt to emerging regulations such as India’s Digital Personal Data Protection (DPDP) Act and often lack transparency and explainability, leading to inadequate compliance. To bridge this gap, the paper introduces the first goal-driven agent framework specifically designed for data compliance. The framework integrates a KYU Agent and a Compliance Agent that jointly leverage semantic understanding, user trust modeling, and data sensitivity reasoning, embedding regulatory logic directly into the system to ensure auditable and interpretable decisions. It incorporates anonymization strategies—including masking, pseudonymization, and generalization—and demonstrates significant improvements in DPDP compliance across ten domains, including healthcare, education, and e-commerce, enabling transparent, efficient, and cross-domain adaptive data governance.
This study addresses the widespread lack of compliance disclosures regarding data privacy regulations—such as GDPR and CCPA—in AI datasets hosted on the Hugging Face platform, which poses significant regulatory risks. For the first time, the paper introduces “compliance readiness” as a core dimension of dataset quality and systematically evaluates transparency in data provenance, processing workflows, and handling of sensitive information. Through an analysis of 11,682 public datasets—combining automated text mining of dataset cards with manual sampling and review—the research reveals that the vast majority fail to clearly document their creation processes or data sources, and only a small fraction explicitly identify sensitive fields such as personally identifiable information (PII). These findings highlight critical gaps in current practices and provide an empirical foundation for developing standardized tools and benchmarks for assessing dataset compliance.
Current automated auditing tools for GDPR/CCPA compliance lack systematic support for diverse web-based consent forms—extending beyond cookie banners—to verify core legal requirements such as freedom of choice, purpose specification, and ease of withdrawal. Method: This paper introduces Cosmic, the first end-to-end automated framework for detecting GDPR consent violations across heterogeneous web forms. Cosmic integrates DOM parsing, OCR-enhanced form recognition, legal semantic modeling, and structured joint reasoning over form elements to enable interpretable, requirement-specific validation. Contribution/Results: Evaluated on 5,823 websites and 3,598 consent forms, Cosmic achieves a true positive rate (TPR) of 98.6% for consent-form detection and 99.1% for violation identification, covering 94.1% of identified consent forms and detecting 3,384 distinct violations. Cosmic fills a critical gap in form-level consent auditing and establishes a novel paradigm for automated, explainable privacy compliance assessment.
This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.